how to guide: PCI DSS


Stay PCI DSS compliant

Organisations that handle credit card data must remain vigilant if they are to maintain PCI compliance


The payment card industry data security standard (PCI DSS) was launched in 2004 as a replacement of the credit card company-specific standards that came before it. The idea was to allow merchants that handled credit card data to meet a single set of requirements that satisfied all credit card providers. Any organisation that handles credit card data should already be compliant with the standard. However, it is not good enough to tick the compliance box once and forget about it. Some of the requirements of the standard call for constant vigilance. For example, requirement 6.1 insists that all systems involved in handling credit card data must be up to date with the latest security patches. Similarly, requirement 6.6 demands that organisations secure the application functionality of their websites, either by implementing regular code reviews, automated or manual, or by installing a web application firewall (the best approach, the standard recommends, is to adopt both). Automated code scanners and web application firewalls must be kept up to date so that they can recognise new threats.

Another consideration is that the standard itself changes over time. US retailer TJ Maxx was PCI DSS compliant when it fell victim to a notorious cyber attack in which hackers made off with millions of its customers’ credit card numbers. At the time, the standard did not specify that credit card data should be encrypted as it moved around an organisation’s internal network. The TJ Maxx hackers, however, compromised automated customer service kiosks in retail outlets and intercepted credit card data from within the internal network. PCI DSS has since been updated to include encryption on internal networks.

WWW.INFORMATION-AGE.COM


Moving standard

The latest update to PCI DSS was version 2.0, and organisations were obliged to meet its requirements by 1 January 2012. There were no major revisions in version 2.0, although it did clarify some contentious issues. For example, version 2.0 asserted that no two primary functions of a system that handles credit card data – application functionality, database, web server, etc –


WWW.F5.COM 13

